In the coming year, the Zero Day Initiative will be ten years old. It is the most mature vulnerability bug bounty program around…

It would be easy to be complacent: We love what we do. We work with brilliant researchers. Our work contributes to great products and a more secure enterprise computing landscape… We are very proud of that. And yet, when one starts thinking this way, isn't it also time for a change? We looked, and will continue to look, at ways to make our program better. One very clear way to push ourselves, and our partners, to increase our commitment to the contributing independent researchers who entrust us with their work, and most of all, to push our commitment to more secure computing, is to draw in our public disclosure deadline.

In a presentation at RSA today, we announced that vendors are asked to develop a fix for a reported vulnerability within 120 days of receiving our product vulnerability report. This begins with reports received on or after March 1. Historically, we have requested that vendors work to develop a fix for the reported product vulnerability, within 180 days of receiving our product vulnerability report.

Why change?

Our purpose in changing the policy is to push vendors to decrease the amount of time it takes them to react to responsibly disclosed vulnerabilities and to reduce the attack surface faster. We know the public is already at risk. The vulnerabilities exist. Researchers, white hats - and black hats - are actively looking for them every day.

Is this realistic for large vendors?

The evidence is, absolutely! They are actually responding in closer to 120 days already. It seems that we have grown together…

In 2010:
• ZDI was publishing around 100 vulnerabilities a year
• 30% of them were > 365 days
• To address sluggish or non-existent response by vendors, the ZDI instituted a 180-day public disclosure policy

In 2011:
• Every one of the “Top 10” vendors had at least 1 vulnerability >180 days

Overall, vendor timelines are greatly reduced. We thank these vendor partners for their increased commitment to secure coding and regular patching. We look forward to continuous growth and improvement together.